Abstract. Paul Kocher recently developed attacks based on the electric consumption of chips that perform cryptographic computations. Among those attacks, the "Differential Power Analysis" (DPA) is probably one of the most impressive and most difficult to avoid.
In this paper, we present several ideas to resist this type of attack, and in particular we develop one of them which leads, interestingly, to a rather precise mathematical analysis. Thus we show that it is possible to build an implementation that is provably DPA-resistant, in a "local" and restricted way (i.e. when, given a chip with a fixed key, the attacker only tries to detect predictable local deviations in the differentials of mean curves). We also briefly discuss some more general attacks, that are sometimes efficient whereas the "original" DPA fails. Many measures of consumption have been done on real chips to test the ideas presented in this paper, and some of the obtained curves are printed here.

Note: An extended version of this paper can be obtained from the authors.
1 Introduction

This paper is about a way of securing a cryptographic algorithm that makes use of a secret key. More precisely, the goal consists in building an implementation of the algorithm that is not vulnerable to a certain type of physical attack, the so-called "Differential Power Analysis".

These DPA attacks belong to a general family of attacks that look for information about the secret key by studying the electric consumption of the electronic device during the execution of the computation. In this family, we usually distinguish between SPA attacks ("Simple Power Analysis") and DPA attacks.

In SPA attacks, the aim is essentially to guess - from the values of the 
consumption - which particular instruction is being computed at a certain time 
and with which input or output, and then to use this information to deduce some 
part of the secret. Figure 1 shows the electric consumption of a chip, measured 
during a DES computation on a real smart card. The fact that the 16 rounds of 
the DES algorithm are clearly visible is a good sign that power analysis attacks 
may indeed provide information about what the chip is doing. 

* Patents Pending 




Fig. 1. Electric consumption measured on the 16 rounds of a DES computation



In DPA attacks, some differentials on two sets of average consumption are computed, and the attack succeeds if an unusual phenomenon appears, on these differentials of consumption, for a good choice of some of the key bits (we give details below), so that we are able to find out those key bits. What makes DPA attacks so impressive, when they work, is the fact that they can find out the secret key of a public algorithm (for example DES, but also many other algorithms) without knowing anything (nor trying to find anything) about the particular implementation of that algorithm. Implementations exist that are DPA-resistant (differentials do not show anything special) but not SPA-resistant (some critical information can be deduced from the consumption curves). On the contrary, other implementations exist that are SPA-resistant but not DPA-resistant (some critical information can be found by studying differentials of two mean curves of consumption). Finally, some implementations can be found that resist both types of attack (at least at present), or none of them.

Throughout this paper, we study more particularly DPA and will not deal any further with SPA. Indeed, as we see below, DPA can easily be analyzed in a mathematical way (and not only in an empirical way). There exist many attacks based on the electric consumption. We do not claim to give here solutions to all the problems that may result from these attacks.



The cryptographic algorithms we consider here make use of a secret key in order to compute an output information from an input information. It may be a ciphering, a deciphering or a signature operation. In particular, all the material described in this paper applies to "secret key algorithms" and also to the so-called "public key algorithms".

2 The "Differential Power Analysis" attacks 

The "Differential Power Analysis" attacks, developped by Paul Kocher and Cryp- 
tographic Research (see [1]), start from the fact that the attacker can get many 
more information (than the knowledge of the inputs and the outputs) during 
the execution of the computation, such as for instance the electric consumption 
of the microcontroller or the electromagnetic radiations of the circuit. The "Dif- 
ferential Power Analysis" (DPA to be brief) is an attack that allows to obtain 
information about the secret key (contained in a smaxtcard for example) , by per- 
forming a statistical analysis of the electric consumption records measured for 
a large number of computations with the same key. Let us consider for instance 
the case of the DES algorithm (Data Encryption Standard). It executes in 16 
steps, called "rounds". In each of these steps, a transformation F is performed 
on 32 bits. This F function uses eight non-linear transformations from 6 bits to 
4 bits, each of which is coded by a table called "S-box". The DPA attack on 
the DES can be performed as follows (the number 1000 used below is just an 
example): 

Step 1: We measure the consumption on the first round, for 1000 DES computations. We denote by E_1, ..., E_1000 the input values of those 1000 computations. We denote by C_1, ..., C_1000 the 1000 electric consumption curves measured during the computations. We also compute the "mean curve" MC of those 1000 consumption curves.

Step 2: We focus for instance on the first output bit of the first S-box during the first round. Let b be the value of that bit. It is easy to see that b depends on only 6 bits of the secret key. The attacker makes a hypothesis on the involved 6 bits. He computes, from those 6 bits and from the E_i, the expected (theoretical) values for b. This enables him to separate the 1000 inputs E_1, ..., E_1000 into two categories: those giving b = 0 and those giving b = 1.

Step 3: We now compute the mean MC' of the curves corresponding to inputs of the first category (i.e. the one for which b = 0). If MC and MC' show an appreciable difference (in a statistical sense, i.e. a difference much greater than the standard deviation of the measured noise), we consider that the chosen values for the 6 key bits were correct. If MC and MC' do not show any sensible difference, we repeat step 2 with another choice for the 6 bits.

Note: In practice, for each choice of the 6 key bits, we draw the curve representing the difference between MC and MC'. As a result, we obtain 64 curves, among which one is supposed to be very special, i.e. to show an appreciable difference, compared to all the others.



Step 4: We repeat steps 2 and 3 with a "target" bit b in the second S-box, then in the third S-box, until the eighth S-box. As a result, we finally obtain 48 bits of the secret key.

Step 5: The remaining 8 bits can be found by exhaustive search.

Note: It is also possible to focus (in steps 2, 3 and 4) on the set of the four output bits for the considered S-boxes, instead of only one output bit. This is what we actually did for real smartcards. In that case, the inputs are separated into 16 categories: those giving 0000 as output, those giving 0001, ..., those giving 1111. In step 3, we may compute for example the mean MC' of the curves corresponding to the last category (i.e. the one which gives 1111 as output). As a result, the mean MC' is computed on approximately 1/16 of the curves (instead of approximately half of the curves with step 3 above): this may compel us to use a number of DES computations greater than 1000, but it generally leads to a more appreciable difference between MC and MC'.

We present in figures 2 and 3 two mean curves, resulting from steps 2 and 3, for a classical implementation of DES on a real smartcard (with '1111' as target output of the first S-box and with 2048 different inputs, even if we noted that 512 inputs are sufficient). A detailed analysis of the 64 obtained curves (that we cannot all print here, for lack of space) shows that the one corresponding to the correct choice of the 6 key bits can easily be detected (it contains much greater peaks than all the others).
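The five steps above, run against constructed traces as an added example (this is not code from the paper; the measurement campaign is simulated). `S1` is the standard DES S-box 1. The leakage model, the inputs and the noise are assumptions made here: the device is taken to leak the Hamming weight of the 4-bit S-box output plus Gaussian noise, one sample per curve. `select_bit0` is the selection function of step 2, with the "first output bit" taken as the least significant one, and `select_all_ones` is the 1111 variant of the note after step 5. The differential computed for each of the 64 guesses is the difference between the two category means, which is MC - MC' up to the constant factor given by the relative size of the category.

```python
import random

# DES S-box S1 as in FIPS 46: row chosen by the outer input bits (b1, b6),
# column by the middle bits b2..b5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x):
    """S1 applied to a 6-bit value x, bit b1 being the most significant bit."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(subkey, n_traces, noise_sigma=0.5, seed=1):
    """Step 1, simulated (constructed data, not measurements).  Each input E_i is
    the 6 bits of E(R0) entering S1 in round 1; the assumed leakage is the Hamming
    weight of S1(E_i xor subkey) plus Gaussian noise, one sample per curve C_i."""
    rng = random.Random(seed)
    inputs, leaks = [], []
    for _ in range(n_traces):
        e = rng.randrange(64)
        inputs.append(e)
        leaks.append(hamming_weight(sbox1(e ^ subkey)) + rng.gauss(0, noise_sigma))
    return inputs, leaks


def select_bit0(guess, e):
    """Step 2: predicted target bit b (least significant output bit of S1, an
    assumption of this example) for a 6-bit key guess."""
    return sbox1(e ^ guess) & 1


def select_all_ones(guess, e):
    """Variant of the note after step 5: predicted S1 output equal to 1111."""
    return 1 if sbox1(e ^ guess) == 0xF else 0


def dpa_differentials(inputs, leaks, selector):
    """Step 3 for all 64 guesses: split the curves into the two categories given
    by the selector and return mean(category 1) - mean(category 0).  The paper's
    MC - MC' is this quantity times the fraction of curves in category 1."""
    diffs = []
    for guess in range(64):
        predicted = [selector(guess, e) for e in range(64)]  # one prediction per possible input
        cat = [[], []]
        for e, leak in zip(inputs, leaks):
            cat[predicted[e]].append(leak)
        if not cat[0] or not cat[1]:
            diffs.append(0.0)
            continue
        diffs.append(sum(cat[1]) / len(cat[1]) - sum(cat[0]) / len(cat[0]))
    return diffs


def recover_subkey(inputs, leaks, selector):
    """Step 4 for one S-box: the guess whose differential stands out the most."""
    diffs = dpa_differentials(inputs, leaks, selector)
    return max(range(64), key=lambda g: abs(diffs[g]))


if __name__ == "__main__":
    inputs, leaks = simulate_traces(subkey=0b101101, n_traces=8192)
    print("recovered 6 key bits:", format(recover_subkey(inputs, leaks, select_all_ones), "06b"))
```

With 8192 curves and noise of standard deviation 0.5, the 1111 selection function identifies the 6 subkey bits unambiguously. With the single-bit selection function the correct guess shows a differential close to 1: the other three output bits of S1 are uniformly distributed and independent of the target bit, so they average out, while the wrong guesses give weaker differentials. This is the contrast between figures 2 and 3.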
Fig. 2. An example of difference of the curves MC and MC' when the 6 bits are false




Fig. 3. Difference of the curves MC and MC' when the 6 bits are correct



This attack does not require any knowledge about the individual electric consumption of each instruction, nor about the position in time of each of these instructions. It applies exactly the same way as soon as the attacker knows the outputs of the algorithm and the corresponding consumption curves. It only relies on the following fundamental hypothesis:

Fundamental hypothesis: There exists an intermediate variable, that appears during the computation of the algorithm, such that knowing a few key bits (in practice less than 32 bits) allows us to decide whether two inputs (respectively two outputs) give or not the same value for this variable.

All the algorithms that use S-boxes, such as DES, are potentially vulnerable to the DPA attack, because the "natural" implementations generally remain within the hypothesis mentioned above.



3 Securing the algorithm 



Several countermeasures against DPA attacks can be conceived. For instance:

1. Introducing random timing shifts, so that the computed means do not correspond any longer to the consumption of the same instruction. The crucial point consists here in performing those shifts so that they cannot be easily eliminated by a statistical treatment of the consumption curves.

2. Replacing some of the critical instructions (in particular the basic assembler instructions involving writes to the carry, reads of data from an array, etc.) by assembler instructions whose "consumption signature" is difficult to analyze.

3. For a given algorithm, giving an explicit way of computing it, so that DPA is provably inefficient on the obtained implementation. For instance, for a DES-like algorithm, we detail in section 4 how to compute the non-linear transformations of the S-boxes in order to avoid some DPA attacks.

In the present paper, we essentially study the third idea because it leads to a quite precise mathematical analysis. We give in this section a general method to implement an algorithm with a secret key so as to avoid the DPA attacks described above. The basic principle consists in programming the algorithm so that the fundamental hypothesis above is not true any longer (i.e. an intermediate variable never depends on the knowledge of an easily accessible subset of the secret key).

The main idea

In this paper, we mainly study how this can be done by using the following main idea: replacing each intermediate variable V, occurring during the computation and depending on the inputs (or the outputs), by k variables V_1, ..., V_k, such that V_1, V_2, ..., V_k allow us, if we want, to retrieve V. More precisely, to guarantee the security of the algorithm in its new form, it is sufficient to choose a function f satisfying the identity V = f(V_1, ..., V_k), together with the two following conditions:

Condition 1: From the knowledge of a value v and for any fixed value i, 1 ≤ i ≤ k, it is not feasible to deduce information about the set of the values v_i such that there exists a (k-1)-uple (v_1, ..., v_{i-1}, v_{i+1}, ..., v_k) satisfying the equation f(v_1, ..., v_k) = v.

Condition 2: The function f is such that the transformations to be performed on V_1, V_2, ..., or V_k during the computation (instead of the transformations usually performed on V) can be implemented without calculating V.

First example for condition 1: If we choose f(v_1, ..., v_k) = v_1 ⊕ v_2 ⊕ ... ⊕ v_k, where ⊕ denotes the bit-by-bit "exclusive-or" function, condition 1 is obviously satisfied, because, for any fixed index i between 1 and k, the considered set of the values v_i contains all the possible values and thus does not depend on v.

Second example for condition 1: If we consider some variable V whose values lie in the multiplicative group of Z/nZ, we can choose the function f(v_1, ..., v_k) = v_1 · v_2 · ... · v_k mod n, where the new variables v_1, v_2, ..., v_k also have values in the multiplicative group of Z/nZ. Condition 1 is also obviously true because, for any fixed index i between 1 and k, the considered set of the values v_i contains all the possible values and thus does not depend on v.



We then "translate" the algorithm by replacing each intermediate variable V depending on the inputs (or the outputs) by the k variables V_1, ..., V_k. In the following sections, we study how conditions 1 and 2 can be achieved in the case of the DES or RSA algorithms.

4 The DES algorithm: First example of implementation for DPA resistance

In this section, we consider the particular case of the DES algorithm. We choose here to separate each intermediate variable V, occurring during the computation and depending on the inputs (or the outputs), into two variables V_1 and V_2 (i.e. we take k = 2). Let us choose the function f(v_1, v_2) = v = v_1 ⊕ v_2 (see the first example of section 3), which satisfies condition 1. From the construction of the algorithm, it is easy to see that the transformations performed on v always belong to one of the five following categories:

1. permutation of the bits of v;

2. expansion of the bits of v;

3. "exclusive-or" between v and another variable v' of the same type;

4. "exclusive-or" between v and a variable depending only on the key;

5. transformation of v using an S-box.

The first two cases correspond to linear transformations on the bits of the variable v. For these ones, condition 2 is thus very easy to satisfy: we just have, instead of the transformation usually performed on v, to perform the permutation or the expansion on v_1, then on v_2, and the identity f(v_1, v_2) = v, which was true before the transformation, is also true afterwards.

In the same way, in the third case, we just have to replace the computation of v'' = v ⊕ v' by the computation of v''_1 = v_1 ⊕ v'_1 and v''_2 = v_2 ⊕ v'_2. The identities f(v_1, v_2) = v and f(v'_1, v'_2) = v' give indeed f(v''_1, v''_2) = v'', so that condition 2 is true again.

As concerns the exclusive-or between v and a variable c depending only on the key, condition 2 is also very easy to satisfy: we just have to replace the computation of v ⊕ c by v_1 ⊕ c (or v_2 ⊕ c), and that gives condition 2.

Finally, instead of the non-linear transformation v' = S(v), given under the form of an S-box (which in that example has 6-bit inputs and 4-bit outputs), we implement the transformation (v'_1, v'_2) = S'(v_1, v_2) by using two new S-boxes (each of which sending 12 bits onto 4 bits). In order to keep the identity f(v'_1, v'_2) = v', we may choose:

(v'_1, v'_2) = S'(v_1, v_2) = (A(v_1, v_2), S(v_1 ⊕ v_2) ⊕ A(v_1, v_2)),

where A denotes a randomly chosen secret transformation from 12 bits to 4 bits (see figure 4). The first of the new S-boxes corresponds to the table of the transformation (v_1, v_2) ↦ A(v_1, v_2) and the second one corresponds to the table of the transformation (v_1, v_2) ↦ S(v_1 ⊕ v_2) ⊕ A(v_1, v_2). Thanks to the randomly chosen function A, condition 1 is satisfied. Moreover, the use of tables allows us to avoid the computation of v_1 ⊕ v_2, so that condition 2 is also true.

Fig. 4. Standard transformation of an S-box. Initial implementation: the predictable values v and v' appear in RAM at some time. Modified implementation: the values v = v_1 ⊕ v_2 and v' = v'_1 ⊕ v'_2 never explicitly appear in RAM.

The solution presented in this section is quite realistic for chips that compute DES in hardware (and are not embedded in a card), or for PCs, because, in those cases, enough memory is available. More precisely, the size of the memory required to store the S-boxes is 32 Kbytes for the method described in this section. It is too much for smartcards, for which specific variations using less memory are described in section 5 below.

5 Smartcard implementations of DES

First variation

In order to reduce the ROM used by the algorithm, it is quite possible to use the same random function A for the eight S-boxes (of the initial description of the DES), so that we have only nine (new) S-boxes (i.e. 18 Kbytes) to store in ROM, instead of sixteen S-boxes.

Second variation

In order to reduce the size of the ROM needed to store the S-boxes, we can also use the following method: instead of each non-linear transformation v' = S(v) of the initial implementation, given under the form of an S-box (with 6-bit inputs and 4-bit outputs in the case of the DES), we implement the transformation (v'_1, v'_2) = S'(v_1, v_2) by using two S-boxes, each of which sending 6 bits onto 4 bits. The initial implementation of the computation v' = S(v) is replaced by the two following successive computations:

- v_0 = φ(v_1 ⊕ v_2)

- (v'_1, v'_2) = S'(v_1, v_2) = (A(v_0), S(φ^{-1}(v_0)) ⊕ A(v_0))

where φ is a bijective and secret function from 6 bits to 6 bits and where A denotes a random and secret transformation from 6 bits to 4 bits. The first of the two new S-boxes corresponds to the table of the transformation v_0 ↦ A(v_0) and the second one corresponds to the table of the transformation v_0 ↦ S(φ^{-1}(v_0)) ⊕ A(v_0). From this construction, the identity f(v'_1, v'_2) = v' is always true. Thanks to the random function A, condition 1 is satisfied. Moreover, the use of tables allows us to avoid the computation of φ^{-1}(v_0) = v_1 ⊕ v_2, so that condition 2 is also true. This solution (shown in figure 5) requires 512 bytes to store the S-boxes.

In order to satisfy condition 2, it remains to choose the bijective transformation φ such that the computation of v_0 = φ(v_1 ⊕ v_2) is feasible without computing v_1 ⊕ v_2. We give below two examples of possible choice for the function φ.
Fig. 5. Transformation of an S-box (second variation). Modified implementation: the values v = v_1 ⊕ v_2 and v' = v'_1 ⊕ v'_2 never explicitly appear in RAM.



Example 1: a linear bijection

We choose φ as a linear secret and bijective function from 6 bits to 6 bits (we consider the set of the 6-bit values as a vector space of dimension 6 over the finite field F_2 with 2 elements). In practice, choosing φ is equivalent to choosing a random and invertible 6×6 matrix whose coefficients are 0 or 1. With this choice of φ, it is easy to see that condition 2 is satisfied. Indeed, to compute φ(v_1 ⊕ v_2), we just have to compute φ(v_1), then φ(v_2) and finally to compute the "exclusive-or" of the two obtained results.

For instance, the matrix

    1 1 0 1 0 0
    1 1 0 1 0 1
    0 1 1 0 1 0
    1 1 1 0 1 0
    0 1 1 1 1 0
    0 0 1 1 0 1

is invertible. It corresponds to the linear bijection φ from 6 bits to 6 bits defined by φ(u_1, u_2, u_3, u_4, u_5, u_6) = (u_1 ⊕ u_2 ⊕ u_4, u_1 ⊕ u_2 ⊕ u_4 ⊕ u_6, u_2 ⊕ u_3 ⊕ u_5, u_1 ⊕ u_2 ⊕ u_3 ⊕ u_5, u_2 ⊕ u_3 ⊕ u_4 ⊕ u_5, u_3 ⊕ u_4 ⊕ u_6).

Let v_1 = (v_{1,1}, v_{1,2}, v_{1,3}, v_{1,4}, v_{1,5}, v_{1,6}) and v_2 = (v_{2,1}, v_{2,2}, v_{2,3}, v_{2,4}, v_{2,5}, v_{2,6}). To compute φ(v_1 ⊕ v_2), we successively compute:

- φ(v_1) = (v_{1,1} ⊕ v_{1,2} ⊕ v_{1,4}, v_{1,1} ⊕ v_{1,2} ⊕ v_{1,4} ⊕ v_{1,6}, v_{1,2} ⊕ v_{1,3} ⊕ v_{1,5}, v_{1,1} ⊕ v_{1,2} ⊕ v_{1,3} ⊕ v_{1,5}, v_{1,2} ⊕ v_{1,3} ⊕ v_{1,4} ⊕ v_{1,5}, v_{1,3} ⊕ v_{1,4} ⊕ v_{1,6})

- φ(v_2) = (v_{2,1} ⊕ v_{2,2} ⊕ v_{2,4}, v_{2,1} ⊕ v_{2,2} ⊕ v_{2,4} ⊕ v_{2,6}, v_{2,2} ⊕ v_{2,3} ⊕ v_{2,5}, v_{2,1} ⊕ v_{2,2} ⊕ v_{2,3} ⊕ v_{2,5}, v_{2,2} ⊕ v_{2,3} ⊕ v_{2,4} ⊕ v_{2,5}, v_{2,3} ⊕ v_{2,4} ⊕ v_{2,6})

Then we compute the "exclusive-or" of the two obtained results.
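Both table constructions made concrete, as an added example that is not code from the paper: it serves section 4 (the two 12-bit to 4-bit tables) and the second variation above with the linear φ of Example 1. `S` is a constructed 6-bit to 4-bit table standing in for one DES S-box (the construction does not depend on which S-box is used), `A12` and `A6` are the random secret functions A of the two constructions, and `phi` is the bijection of the matrix above, under the assumptions that bit 1 of a 6-bit word is its most significant bit and that row i of the matrix gives output bit i. `satisfies_condition2` checks that the two output shares always recombine to S(v_1 ⊕ v_2), and `determined_by_v` is the check a practitioner wants for condition 1: it reports whether a stored intermediate value is a function of the unmasked v = v_1 ⊕ v_2 alone, i.e. whether it could be predicted from a key hypothesis.

```python
import random

rng = random.Random(7)
S = [rng.randrange(16) for _ in range(64)]        # constructed stand-in for an S-box S(v)

# --- Section 4: S'(v1, v2) = (A(v1, v2), S(v1 xor v2) xor A(v1, v2)), two 12-bit -> 4-bit tables.
A12 = [rng.randrange(16) for _ in range(4096)]    # random secret A(v1, v2), indexed by (v1 << 6) | v2
TABLE_A = A12
TABLE_B = [S[v1 ^ v2] ^ A12[(v1 << 6) | v2] for v1 in range(64) for v2 in range(64)]


def masked_sbox_full(v1, v2):
    """Both output shares come from table lookups; v1 xor v2 is never formed."""
    idx = (v1 << 6) | v2
    return TABLE_A[idx], TABLE_B[idx]


# --- Second variation with the linear phi of Example 1 (rows of the 6x6 matrix over F2).
PHI_ROWS = [0b110100, 0b110101, 0b011010, 0b111010, 0b011110, 0b001101]


def phi(u):
    """Output bit i is the parity of (row i AND u); bit 1 is the most significant bit."""
    out = 0
    for row in PHI_ROWS:
        out = (out << 1) | (bin(row & u).count("1") & 1)
    return out


PHI_INV = {phi(u): u for u in range(64)}          # phi is a bijection, so this has 64 entries
A6 = [rng.randrange(16) for _ in range(64)]       # random secret A(v0), 6 bits -> 4 bits
TABLE_C = A6
TABLE_D = [S[PHI_INV[v0]] ^ A6[v0] for v0 in range(64)]


def masked_sbox_compact(v1, v2):
    """v0 = phi(v1) xor phi(v2) equals phi(v1 xor v2) by linearity, so neither v1 xor v2
    nor phi^-1(v0) is ever computed; two 6-bit -> 4-bit tables give the output shares."""
    v0 = phi(v1) ^ phi(v2)
    return TABLE_C[v0], TABLE_D[v0]


def satisfies_condition2(fn):
    """The two output shares xor to S(v1 xor v2) for every pair of input shares."""
    return all(fn(v1, v2)[0] ^ fn(v1, v2)[1] == S[v1 ^ v2]
               for v1 in range(64) for v2 in range(64))


def determined_by_v(intermediate):
    """True if intermediate(v1, v2) takes a single value on all 64 splits of each v,
    i.e. if it is a function of the unmasked value v = v1 xor v2 alone."""
    for v in range(64):
        values = {intermediate(v1, v ^ v1) for v1 in range(64)}
        if len(values) != 1:
            return False
    return True
```

In the section 4 construction none of v_1, v_2, A(v_1, v_2) or S(v_1 ⊕ v_2) ⊕ A(v_1, v_2) passes `determined_by_v`. In the second variation, `determined_by_v` is true for v_0 = φ(v_1) ⊕ φ(v_2) and hence for both output shares: since v_0 = φ(v_1 ⊕ v_2), every value stored after the combination step is a fixed function of v. The attacker of section 2 cannot compute that function because φ and A are secret, which is the "local" sense in which resistance is claimed; the protection of this variation therefore rests on φ and A remaining secret.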



Example 2: a quadratic bijection

We choose φ as a quadratic secret and bijective function from 6 bits to 6 bits. Here, "quadratic" means that each bit of the output is given by a polynomial function of total degree two of the 6 bits of the input (which are identified with 6 elements of the finite field F_2). In practice, we may choose the function φ defined by φ(x) = t(s(x)^5), where s is a secret linear bijection from (F_2)^6 to L, t is a secret linear bijection from L to (F_2)^6 and L denotes an algebraic extension of degree 6 over the finite field F_2. The bijectivity of this function φ follows from the fact that a ↦ a^5 is a bijection on the extension L (whose inverse is b ↦ b^38). To be convinced that condition 2 is still satisfied, just notice that we can write:

φ(v_1 ⊕ v_2) = ψ(v_1, v_1) ⊕ ψ(v_1, v_2) ⊕ ψ(v_2, v_1) ⊕ ψ(v_2, v_2),

where the function ψ is defined by ψ(x, y) = t(s(x)^4 · s(y)) (indeed, in characteristic 2, (a + b)^4 = a^4 + b^4, so that (a + b)^5 = (a^4 + b^4)(a + b) = a^5 + a^4 b + b^4 a + b^5, and t is linear).

For instance, if we identify L with F_2[X]/(X^6 + X + 1) and if we choose s and t whose matrices are

    s:                       t:
    1 1 0 1 0 0              0 1 0 0 1 1
    1 1 0 1 0 1              1 1 0 1 0 0
    0 1 1 0 1 0              1 0 1 0 1 1
    1 1 1 0 1 0              0 1 1 1 0 0
    0 1 1 1 1 0              1 0 1 0 1 0
    0 0 1 1 0 1              0 0 1 0 1 1

with respect to the basis (1, X, X^2, X^3, X^4, X^5) of L over F_2 and to the canonical basis of (F_2)^6 over F_2, we obtain the following quadratic bijection φ from 6 bits to 6 bits:

U4U3 , U2U5 © u$ui © mil* © U4 © ue © u^us © tt 2 © ^3 © u 3 Ui , v> 2 us © u$ui © ueus © 

Uit64 ©Ui ©U4U6 ©^6^3 ©tt3^1, ttl^ 4 ©1X2^3 ©^6^1 © ^4^6 © u 5 © 

^6^3 © ^4^3 1 t^S^l © 1X1^4 © 1*6 © ^3^5 © U4U5 © ^1 © UqU\ © U4UQ © © U6U3 © 
U4U2,U>4 © TX6 © ^3^5 © ^1 © U 4 U 6 © ^6^X3). 

To compute φ(v_1 ⊕ v_2), we use the function ψ(x, y) = t(s(x)^4 · s(y)) from 12 bits to 6 bits, which gives the 6 output bits from the 12 input bits as follows:

ip(xi , x 2 , x 3 , x 4 , x 5 , x 6 , y i , ?/ 2 , 2/3 , J/4 , ys , Ve) — fays © x e y 2 © x 6 y3 © *ey4 © ^32/ i © 

^62/1 © Xiy 3 © XxJ/5 © X 5 2/ 2 © X 5 7/ 5 © ^5j/l © ^62/6 © ^12/6 © ^12/2 © ^12/4 © ^22/1 © 
X 2 y 2 © X 4 J/4 © X32/3 © X32/6 © ^42/3 © ^52/3 , X42/5 © X32/1 © X 6 2/l © X 2 2/5 © 2:52/1 © ^62/6 © 

2:12/6 ©2:12/2 ©2: 2 2/i ©x 2 y 2 ©x 4 2/! ©X42/4 ©x 3 2/3 ? ^62/2 ©2:62/3 ©2:e2/4 ©2:62/5 ©2:3yi © 
x$yi © x 2 y 5 © x 5 yi © xiy 6 © 2:12/1 © xiy 2 © xiy 4 © x 2 y\ © x 2 y 4 © x±y 2 © x 2 y 6 © 
2:3 y4 ©^52/3, 2:37/1 ©x 6 y 2 ©2: 2 y 6 ©2:52/3 ©2: 5 y4 ®x s ye ®x 6 y 3 ®x 2 y 3 ©X42/6 ©^62/5 © 
X12/3 © *5?/5 © 2: 2 y4 © 2: 4 y 2 © 2: 4 ys © x 3 y$ © x 4 y 3 © 2: 6 y 1 © 2: 4 y 1 , 2: 3 y 1 © x e ye © x$y 3 © 
x$y6 © 2: 5 y 2 © 2:12/5 © x x yi © x±y 2 © x 2 yi © x 2 y 3 © x 3 y e © x 6 ys © x x y 3 © x 2 y± © 
x 3 y 3 © x±ys © x 2 y s © x 6 yi © 2: 4 y 1 © x 6 y 4 © x 3 y 2 , x 6 y6 ®x A y 4 ® x 5 y 4 © xsV6 © 2:6 y3 © 
x\y$ © © Xiy 2 © x 2 yi © x 6 ys © x 2 y 4 © x 4 y 2 © x 4 y 5 © x 3 y s © x 6 yi © x 6 y 4 ). 

By using these formulas, we successively compute ψ(v_1, v_1), ψ(v_1, v_2), ψ(v_2, v_1) and ψ(v_2, v_2). Finally, we compute the "exclusive-or" of the four obtained results.
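Example 2 carried out in code, as an added example that is not from the paper: `MODULUS` encodes X^6 + X + 1, `S_ROWS` and `T_ROWS` are the two matrices printed above, and the coordinate conventions (bit 1 of a word is its most significant bit, row i of a matrix gives output coordinate i, the coordinates on (1, X, ..., X^5) are read in the same order) are assumptions of this example. A different convention yields a different but equally valid φ; the two facts verified here, that φ is a bijection and that φ(v_1 ⊕ v_2) = ψ(v_1, v_1) ⊕ ψ(v_1, v_2) ⊕ ψ(v_2, v_1) ⊕ ψ(v_2, v_2), hold under any of them.

```python
MODULUS = 0b1000011   # X^6 + X + 1, irreducible over F2: L = F2[X]/(X^6 + X + 1)


def gf_mul(a, b):
    """Multiplication in L; an element is a 6-bit word whose bit i holds the X^i coefficient."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x40:           # degree reached 6: reduce by X^6 = X + 1
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


# Matrices of s and t as printed in the paper (assumption: row i gives output
# coordinate i, and bit 1 of a 6-bit word is its most significant bit).
S_ROWS = [0b110100, 0b110101, 0b011010, 0b111010, 0b011110, 0b001101]
T_ROWS = [0b010011, 0b110100, 0b101011, 0b011100, 0b101010, 0b001011]


def linear(rows, u):
    """Apply a 6x6 matrix over F2: output bit i is the parity of (row i AND u)."""
    out = 0
    for row in rows:
        out = (out << 1) | (bin(row & u).count("1") & 1)
    return out


def phi(x):
    """phi(x) = t(s(x)^5): a bijection since s and t are invertible and gcd(5, 63) = 1."""
    return linear(T_ROWS, gf_pow(linear(S_ROWS, x), 5))


def fifth_root(b):
    """b -> b^38 inverts a -> a^5 on L, because 5 * 38 = 190 = 3 * 63 + 1."""
    return gf_pow(b, 38)


def psi(x, y):
    """psi(x, y) = t(s(x)^4 * s(y)), the 12-bit -> 6-bit function of the paper."""
    sx, sy = linear(S_ROWS, x), linear(S_ROWS, y)
    return linear(T_ROWS, gf_mul(gf_pow(sx, 4), sy))


def phi_from_shares(v1, v2):
    """phi(v1 xor v2) without ever forming v1 xor v2.  In characteristic 2,
    (a + b)^5 = (a + b)^4 (a + b) = (a^4 + b^4)(a + b) = a^5 + a^4 b + b^4 a + b^5."""
    return psi(v1, v1) ^ psi(v1, v2) ^ psi(v2, v1) ^ psi(v2, v2)


def is_bijection(fn):
    return len({fn(x) for x in range(64)}) == 64
```

`psi(v_1, v_1)` is simply `phi(v_1)`, so the four-term formula costs four 12-bit table lookups (or four evaluations of the quadratic forms printed above) and three exclusive-ors per S-box.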

Third variation

To further reduce the size of the ROM needed to store the S-boxes, we can apply simultaneously the ideas of both variations 1 and 2: we use the second variation, with the same secret bijection φ (from 6 bits to 6 bits) and the same secret random function A (from 6 bits to 4 bits) in the new implementation of each non-linear transformation given by an S-box. This variation thus requires only 288 bytes to store the S-boxes. We have applied the Differential Power Analysis on real smartcard implementations of this third variation. Two examples of differential mean curves (with 2048 inputs and with '1111' as target output of the first S-box) are presented in figures 6 and 7. A precise analysis of the 64 curves given by the DPA (see note after step 3, in section 2) shows that none of them appears to be "very special", compared to the others, so that we can say that this implementation resists the DPA attack (at least in its basic form, see appendix 2 for a possible generalization that could still be dangerous).

Fourth variation

In this last variation, instead of implementing the transformation (v'_1, v'_2) = S'(v_1, v_2) (which replaces the non-linear transformation v' = S(v) of the initial implementation, given by an S-box) by using two S-boxes, we perform the computation of v'_1 (respectively v'_2) by using a simple algebraic function (i.e. the bits of v'_1 (respectively v'_2) are given by a polynomial function of total degree 1 or 2 of the bits of v_1 and v_2), then we compute v'_2 (respectively v'_1) by using a table. This enables us to reduce again the ROM needed for the implementation. This last variation requires only 256 bytes to store the S-boxes.

Fig. 7. Difference of the curves MC and MC' when the 6 bits are correct

6 The RSA algorithm

The "Power Analysis" attacks also threaten the classical implementations of the RSA algorithm. Indeed, these implementations often use the so-called "square-and-multiply" principle to perform the computation of x^d mod n. It consists in writing the binary decomposition d = d_{m-1} 2^{m-1} + d_{m-2} 2^{m-2} + ... + d_1 2^1 + d_0 2^0 of the secret exponent d, and then in performing the computation as follows:

1. z ← 1;

For i going backwards from m-1 to 0 do:

2. z ← z^2 mod n;

3. if d_i = 1 then z ← z × x mod n.

In this computation, we see that, among the successive values taken by the z variable, the first ones depend on only a few bits of the secret key d. The fundamental hypothesis that enables the DPA attack is thus satisfied. As a result, we can guess for instance the 10 most significant bits of d by studying the consumption measures on the part of the algorithm corresponding to i going from m-1 to m-10. We can then continue the attack by using consumption measures on the part of the algorithm corresponding to i going from m-11 to m-20, which gives the 10 next bits of d, and so on. We finally find all the bits of the secret exponent d.

The method described in section 3 also applies to securing the RSA algorithm. We use here a separation of each intermediate variable V (whose values lie in the multiplicative group of Z/nZ), occurring during the computation and depending on the inputs (or the outputs), into two variables V_1 and V_2 (i.e. we take k = 2), and we choose the function f(v_1, v_2) = v = v_1 · v_2 mod n. We already saw in section 3 (cf. "second example") that this function f satisfies condition 1.

We thus replace x by (x_1, x_2) such that x = x_1 · x_2 mod n and z by (z_1, z_2) such that z = z_1 · z_2 mod n (in practice, we can for instance choose x_1 randomly and deduce x_2). Considering again the three steps of the "square-and-multiply" method, we perform the following transformations:

1. z ← 1 is replaced by z_1 ← 1 and z_2 ← 1;

2. z ← z^2 mod n is replaced by z_1 ← z_1^2 mod n and z_2 ← z_2^2 mod n;

3. z ← z × x mod n is replaced by z_1 ← z_1 × x_1 mod n and z_2 ← z_2 × x_2 mod n.

It is easy to check that the identity z = f(z_1, z_2) remains true all along the computation, which shows that condition 2 is satisfied.

Let us notice that the computations performed respectively on the z_1 variable and on the z_2 variable are completely independent. We thus can imagine performing the two computations either in a sequential way, or in an overlapped way, or simultaneously in the case of multiprogramming, or simultaneously on different processors working concurrently.
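The plain and the split exponentiations side by side, as an added example that is not code from the paper; the modulus, base and exponents used are small constructed values. `square_and_multiply` also returns the successive values of z, which makes the fundamental hypothesis visible: `shared_trace_prefix` shows that two exponents with the same leading bits produce the same first z values. `split_multiplicative` draws x_1 at random in (Z/nZ)^* and deduces x_2, as suggested above, and the product z_1 · z_2 mod n is formed only after the loop.

```python
import math
import random


def square_and_multiply(x, d, n):
    """Left-to-right square-and-multiply.  Returns x^d mod n together with the
    list of successive z values (the intermediate variables a DPA attacker targets)."""
    z, trace = 1, []
    for i in range(d.bit_length() - 1, -1, -1):
        z = z * z % n                 # step 2
        if (d >> i) & 1:
            z = z * x % n             # step 3
        trace.append(z)
    return z, trace


def split_multiplicative(v, n, rng):
    """Write v = v1 * v2 mod n with v1 drawn at random from (Z/nZ)^*."""
    while True:
        v1 = rng.randrange(1, n)
        if math.gcd(v1, n) == 1:
            break
    v2 = v * pow(v1, -1, n) % n
    return v1, v2


def split_square_and_multiply(x, d, n, seed=3):
    """The same loop run on the two shares.  z1 * z2 == z holds after every step,
    but z itself is never computed inside the loop (constructed seed for repeatability)."""
    rng = random.Random(seed)
    x1, x2 = split_multiplicative(x, n, rng)
    z1, z2 = 1, 1                                     # step 1 on both shares
    for i in range(d.bit_length() - 1, -1, -1):
        z1, z2 = z1 * z1 % n, z2 * z2 % n             # step 2 on both shares
        if (d >> i) & 1:
            z1, z2 = z1 * x1 % n, z2 * x2 % n         # step 3 on both shares
    return z1, z2


def shared_trace_prefix(x, n, d_a, d_b):
    """Number of leading z values that the plain algorithm produces identically for
    two exponents: as long as their leading bits agree, so do the z values, which is
    what lets the attacker of this section recover d ten bits at a time."""
    trace_a = square_and_multiply(x, d_a, n)[1]
    trace_b = square_and_multiply(x, d_b, n)[1]
    k = 0
    while k < len(trace_a) and k < len(trace_b) and trace_a[k] == trace_b[k]:
        k += 1
    return k


if __name__ == "__main__":
    n, x, d = 3233, 65, 2753                          # constructed toy RSA parameters
    z1, z2 = split_square_and_multiply(x, d, n)
    print("recombined:", z1 * z2 % n, "expected:", pow(x, d, n))
```

The recombination z = z_1 · z_2 mod n happens once, at the end. Computing it inside the loop would reintroduce exactly the intermediate variable, determined by x and the leading bits of d, that the split is meant to remove.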

7 Generalized Attacks

Recently, more general attacks were introduced, where the attacker tries to correlate different points of a power consumption curve. We have no space here to analyze in detail the effect of this idea on the "Duplication Method". However, it is possible to show that if each variable is split into, say, k variables, then the complexity of the implementation increases in O(k), while the complexity of the attack increases exponentially in k.

As concerns DES implementations, we also recommend, when it is possible, to use different S-boxes for each smartcard (stored in EEPROM). In particular, this avoids some attacks which use a smartcard with a known key to help finding the key in another smartcard whose key is unknown.

8 Conclusion

In this paper, we investigate how the study of the electric consumption measures of an electronic device can be used by an attacker to get information about the secret key of the cryptographic algorithm computed by the chip. More precisely, we focus on the so-called Differential Power Attacks, which were recently introduced by Paul Kocher, and which use a statistical analysis of a set of consumption curves measured for many different inputs of the cryptographic algorithm.

We study more precisely how DPA attacks work, and what precise hypotheses they rely on. We then present several ways of securing cryptosystems. In particular, concrete examples of such countermeasures are described in the cases of DES and RSA, which are the most used cryptographic algorithms at present.

To secure those algorithms, we essentially study the main idea that consists in splitting each intermediate variable, occurring in the computation, into two (or more) variables, such that the values of these new variables cannot be easily predicted. The obtained implementations can be proved to resist the "local" version of Differential Power Analysis (where the attacker only tries to detect local deviations in the differentials of mean curves). Nevertheless other attacks can be conceived, still using the analysis of electric consumption. We do not pretend to solve all security problems linked to these threats. These latter attacks are not only theoretical: we found real products that are defeated by them. This also shows that theoretical investigations have to be continued on this sensitive subject.